[00:06.580 --> 00:09.500]  Welcome to Software Defined Radios for Aerospace Cyber.
[00:09.500 --> 00:16.360]  This is an introductory talk that will get you going with learning about radio frequencies and the use of SDRs.
[00:20.960 --> 00:27.820]  Software Defined Radios are relatively inexpensive and a great way to learn about the radio frequency world and data communications.
[00:28.040 --> 00:31.400]  In a short period, you can be receiving signals from aircraft.
[00:31.400 --> 00:35.780]  And with a little bit more work, you can be receiving signals from satellites as well.
[00:38.480 --> 00:42.020]  We want to thank our sponsors, Capitol Technology University,
[00:42.020 --> 00:45.620]  APS Global LLC, and the Maser Makerspace.
[00:45.620 --> 00:50.180]  We want to give a special shout out to Dan Allen, who engineered and built the badges,
[00:50.180 --> 00:53.960]  and Steve Lozinski, who brought all this together.
[00:54.140 --> 00:58.680]  Our students Zach, Charisse, and Ryan, who helped with the video,
[00:58.680 --> 01:03.980]  and especially everyone who bought a badge to support the village and our project.
[01:07.230 --> 01:10.170]  What you'll learn. The basics of how to use an SDR.
[01:10.170 --> 01:14.610]  Basic radio frequency concepts include frequency, bandwidth, and modulation.
[01:14.610 --> 01:19.450]  And how an SDR converts millions of samples per second into binary data.
[01:19.830 --> 01:26.790]  Software Defined Radios are connected to antennas that collect raw, analog, RF information,
[01:26.790 --> 01:30.530]  and then decode them into binary data that your computer can use.
[01:32.210 --> 01:36.070]  Explore the RF spectrum with your Aerospace Village badge.
[01:36.070 --> 01:41.290]  The badge has an integrated dipole antenna tuned to 1090 MHz,
[01:41.290 --> 01:44.170]  which is the frequency used by ADS-B.
[01:44.170 --> 01:49.390]  In addition, the badge has two terminal blocks connected to the SMA connector,
[01:49.390 --> 01:55.490]  which can be used to connect custom-cut wire lengths tuned to the frequency of interest.
[01:56.210 --> 01:59.690]  Connect the wires and the correct SMA to your SDR,
[01:59.690 --> 02:06.650]  or connect to the other SMA and use the integrated ADS-B antenna, and you're ready to go.
[02:07.590 --> 02:10.250]  This is a lot of fun and very straightforward.
[02:10.250 --> 02:15.190]  You already understand how to install software packages and connect devices to your USB port.
[02:15.250 --> 02:18.770]  Once you learn the fundamentals of RF communications,
[02:18.770 --> 02:22.010]  you'll be able to look at a number of digital signals,
[02:22.010 --> 02:26.470]  understand their protocols, and figure out any vulnerabilities which need to be patched.
[02:26.470 --> 02:33.390]  It's a lot of fun, and all you need is an SDR, some free software, and a couple pieces of wire to get started.
[02:36.540 --> 02:40.660]  You're going to be using the SDR Sharp program. It's free.
[02:40.660 --> 02:44.740]  You plug in your SDR into the USB port.
[02:44.740 --> 02:47.700]  Start up SDR Sharp, push the play button at the upper left,
[02:47.700 --> 02:52.260]  and you can start listening to radio signals and analyzing them immediately.
[02:55.430 --> 03:00.830]  This slide shows some of the terms and how you use the SDR Sharp program.
[03:00.830 --> 03:03.270]  There's a play button that starts receiving.
[03:03.330 --> 03:06.110]  You put in the frequency of the signal you're looking for,
[03:06.110 --> 03:11.270]  and you can push on the top of a number to go up and the bottom of a number to go down in frequency.
[03:11.470 --> 03:17.830]  The display shows the strength of the signals by frequency at this moment,
[03:17.830 --> 03:22.970]  and underneath is a waterfall which shows the strength and frequency over time.
[03:22.970 --> 03:25.570]  On the left side, you've got something called modulation,
[03:25.570 --> 03:31.170]  which is the mathematical operations needed to extract information from the signal,
[03:31.170 --> 03:32.290]  and the bandwidth.
[03:32.530 --> 03:35.550]  On the next screen, we'll be showing a live FM signal.
[03:35.550 --> 03:40.010]  Please pay attention to how the different graphs move over time.
[03:40.010 --> 03:42.510]  That will give you an idea of how the signal is being processed.
[04:25.380 --> 04:31.220]  By watching how the sound moves, how the signal strength grows and decreases over time,
[04:31.220 --> 04:33.800]  it gives you an idea of what's happening with the signal.
[04:33.800 --> 04:38.360]  Now on our next slide, you're going to hear a digital signal and see it in operation.
[04:38.580 --> 04:41.680]  You can't decode it with the human ear. You need a computer for this.
[04:41.680 --> 04:45.920]  You'll notice the digital signals have a distinctive sound.
[05:12.260 --> 05:15.480]  ACARS is essentially text messaging for airplanes.
[05:15.760 --> 05:19.880]  It's a very simple format, uses a few VHF frequencies.
[05:20.260 --> 05:22.580]  It's vulnerable to spoofing.
[05:22.620 --> 05:27.140]  There's no independent authentication such as a digital signature on them.
[05:27.140 --> 05:32.020]  The software is pretty easy to use and the messages can be dumped into a hex format
[05:32.020 --> 05:36.060]  so you can examine the protocols and even build your own compliant messages.
[05:36.060 --> 05:40.900]  Here are a couple of ACARS messages.
[05:40.900 --> 05:46.340]  You can see the type of aircraft, the flight number if it's available, and other information.
[05:46.360 --> 05:50.820]  These messages can be passed through a further layer of decoding so you can see the contents
[05:50.820 --> 05:59.380]  such as temperature, flight level, fuel remaining, number of passengers, etc.
[06:00.200 --> 06:06.640]  You can dump this into text and you can do even further examination on it.
[06:07.260 --> 06:11.280]  ACARS is pretty cool.
[06:11.280 --> 06:15.060]  It uses a channel normally meant for voice communications to send data.
[06:15.660 --> 06:20.020]  If you see the tall peak at the center, that's the carrier on an AM signal.
[06:20.020 --> 06:26.040]  And they use a device much like a modem used for an old school telephone line to convert digital data to tones.
[06:26.040 --> 06:28.380]  Those are the smaller peaks you see off to the side.
[06:28.380 --> 06:34.180]  Then at the other end, those peaks and those tones are converted back into digital data.
[06:41.530 --> 06:43.990]  ADS-B is very serious business.
[06:43.990 --> 06:46.450]  It's used to manage the airspace.
[06:46.450 --> 06:53.270]  It shows the direction, altitude, speed, and other information needed to keep the airways safe.
[06:53.270 --> 06:56.130]  There's very little verification of these signals.
[06:56.130 --> 06:58.430]  They're vulnerable to spoofing and other attacks.
[06:58.730 --> 07:03.830]  And we need more cyber professionals looking at this to provide the security it deserves.
[07:09.650 --> 07:12.530]  Here is the virtual radar software.
[07:12.530 --> 07:19.270]  This takes the ADS-B output and plots on a map so you can see where aircraft are in relation to you and to each other.
[07:19.270 --> 07:24.390]  There's a lot of information that can be expanded by clicking on a particular aircraft.
[07:24.390 --> 07:27.450]  If you're connected to the internet, you can even bring back pictures.
[07:27.710 --> 07:32.070]  Note that ADS-B is susceptible to spoofing and packet forgery.
[07:32.670 --> 07:35.590]  It's an area where there's a lot more research needed.
[07:39.960 --> 07:43.060]  dump1090 provides a neat textual output.
[07:43.060 --> 07:47.160]  It's cool to watch the aircraft as they move, as they climb, as they descend.
[07:47.160 --> 07:50.320]  You can also dump data in a hex format.
[07:50.320 --> 07:55.060]  Now you can look at the protocol and even try and spoof it by building your own packets.
[08:02.820 --> 08:09.100]  Using your badge or other simple antenna, you can download signals directly from satellites right to your PC.
[08:09.760 --> 08:13.860]  You'll have to check the schedule and see what time they're going to pass overhead.
[08:13.880 --> 08:20.200]  Get your antenna outside with no obstructions, and you have a good chance of receiving a great map from a satellite.
[08:23.820 --> 08:28.220]  And here's a NOAA weather image which we downloaded just last week.
[08:28.220 --> 08:31.340]  You can see the Great Lakes in the image. You can see cloud cover.
[08:31.340 --> 08:36.700]  It's pretty cool. If we'd gotten a picture from this week, you could have seen the hurricane coming up the coast.
[08:40.880 --> 08:47.940]  This is really interesting. The satellite is 500 miles above the earth, and yet you're able to receive a picture from it.
[08:47.940 --> 08:51.780]  You see they've got a number of different peaks. Those are different signals it's using.
[08:51.780 --> 08:56.440]  Each one works together with the others to send lots of data in a very short time.
[08:56.440 --> 08:58.480]  That's why the signal is so wide.
[09:02.710 --> 09:07.050]  Software-defined radios are like the Kali Linux of the radio frequency world.
[09:07.070 --> 09:13.190]  If there's a signal you want to look at, if it's in wide use, the odds are someone's built a decoder so you can examine it.
[09:13.590 --> 09:17.910]  Now, you see a picture of a 50-ohm resistor. That's a dummy load.
[09:17.910 --> 09:23.150]  If you do decide to transmit, that'll keep the signal from going more than a few inches or a few feet,
[09:23.150 --> 09:27.090]  so you can safely look at protocols and hack signals.
[09:31.900 --> 09:37.560]  We've been talking about SDR receivers. The HackRF One is a transceiver.
[09:37.560 --> 09:45.960]  It transmits and receives from 0 to 6 gigahertz. That's way above even 5 gigahertz Wi-Fi.
[09:46.560 --> 09:53.580]  Now, you have to be very careful. There are legal ramifications for transmitting in a way that would interfere with other signals.
[09:53.580 --> 09:59.240]  The HackRF One is great for research, transmitting things like key fobs,
[09:59.240 --> 10:03.580]  experimenting in a confined area where you know the signal isn't going to get out.
[10:03.720 --> 10:07.920]  Now, if there's concerns about the signal escaping, on the right is what's called a dummy load.
[10:07.920 --> 10:16.300]  It's a 50-ohm resistor that absorbs the energy and keeps it from making it out into the world where it could interfere with things.
[10:16.380 --> 10:18.740]  There are also a number of types of antennas you can get.
[10:18.740 --> 10:27.240]  Omnidirectional: they're like a table lamp. Others are unidirectional or directional, which means they're like a flashlight.
[10:31.780 --> 10:40.340]  There are all sorts of signals you can look at with standard Linux tools for examining protocols, for examining hex and binary data.
[10:40.340 --> 10:45.440]  For example, you've got command links to drones. You've got the key fob that opens the doors in your car.
[10:45.440 --> 10:52.040]  Please remember, if you transmit, be very careful. It's dangerous and illegal to interfere with other people.
[10:52.180 --> 10:57.840]  Stay safe and learn the xxd and od commands if you haven't already started working with binary.
[11:02.220 --> 11:07.300]  If you're really excited about this, there are small packs you can put around a HackRF,
[11:07.300 --> 11:14.300]  which will allow you to listen to everything from your electric meter transmitting to boats and cars sending information.
[11:14.580 --> 11:18.860]  Once again, this is a really cool tool for research. Just be smart while you use it.
[11:20.980 --> 11:23.840]  Thank you. If you'd love to know more, please reach out.
[11:23.840 --> 11:28.620]  We'd like nothing more than to see you win next year when it comes to the Hack the Satellite competition.
[11:28.620 --> 11:33.660]  Now, you're going to learn how to set up and install the apps with Zach, Charisse, and Ryan.
[11:36.220 --> 11:41.240]  Hi, I'm Zachary Klein. I'm a student at the University of Maryland College Park.
[11:41.300 --> 11:46.120]  Hi, I'm Carrie Houston, and I'm a student at Capitol Technology University in Laurel, Maryland.
[11:46.120 --> 11:56.100]  So now that we have established our antenna and our SDR, we now, in order to actually view those signals and decode them,
[11:56.100 --> 12:02.240]  we need to get a program for that. So we're going to install something called SDR-Sharp.
[12:02.240 --> 12:09.820]  So on the AirSpy website, we're going to install what's called the Windows SDR software package.
[12:09.820 --> 12:17.140]  So once we have that downloaded, we'll have a zip file which we will extract.
[12:20.750 --> 12:28.570]  And so, for the initial installation, we will run the install RTL SDR batch file.
[12:29.030 --> 12:33.630]  And this will handle some of the primary drivers that we'll need.
[12:40.380 --> 12:50.800]  Once that's taken care of, we're going to go to the bottom of this list and look for something called Zadig.exe.
[12:52.420 --> 12:56.680]  And this will provide some drivers for our SDR device.
[12:57.360 --> 13:02.840]  So in order to find it, we'll go under options, list all devices,
[13:02.840 --> 13:11.220]  and we're going to look for the device once we have plugged in our SDR.
[13:11.560 --> 13:21.100]  So we're going to look for either something that says Bulk-In, Interface (Interface 0), or maybe something that says RTL 2832.
[13:22.580 --> 13:33.620]  Once we have that selected, we're going to make sure that we have a USB ID of 0BDA283800.
[13:34.220 --> 13:39.480]  From there, we'll select WinUSB, and we will replace the driver.
[13:40.000 --> 13:42.880]  Since we've already done this, it says Reinstall Driver.
[13:47.020 --> 13:51.140]  Now with this handled, we have SDRSharp installed.
[13:54.580 --> 13:58.300]  Now that you have the software downloaded, it's time to use it.
[13:58.300 --> 14:02.440]  The first thing that you're going to want to do is you're going to want to check the source.
[14:02.820 --> 14:08.880]  So in the drop-down, you want to make sure that you have the RTL-SDR USB and not the TCP.
[14:09.180 --> 14:19.520]  The next thing is you're going to press play, and from there you should see the FM broadcast that your SDR is picking up.
[14:20.250 --> 14:31.350]  In order to see the signal better, you can turn up the RF gain.
[14:31.350 --> 14:37.290]  You want to slowly do that until you see it peak a little bit more.
[14:46.660 --> 14:53.920]  If you see here, this is your waterfall that you can see over time as the signal is picked up.
[14:56.740 --> 15:00.800]  And if you see the width here, that is considered your bandwidth.
[15:01.540 --> 15:07.560]  So now we're going to tune in to a different signal, and this time it's going to be the NOAA's weather station.
[15:39.490 --> 15:43.410]  Zoomed out now so you can see different signals that are being picked up.
[15:45.950 --> 15:51.890]  Now that we've looked at radio stations and other types of signals that can be easily found with SDRSharp,
[15:51.890 --> 15:55.150]  we're going to look at another easy signal, ADS-B.
[15:55.150 --> 16:03.310]  This is typically used to prevent airplane collisions and to provide other relevant data for air traffic.
[16:04.630 --> 16:13.590]  So first we're going to install a program called dump1090, and this program is available on pbworks.com.
[16:14.250 --> 16:19.630]  So once we have that installed, we'll get a zip file and we'll extract that.
[16:26.430 --> 16:31.070]  And there the first thing that we will run is the dump1090 batch.
[16:31.470 --> 16:36.430]  If you have any trouble with it, or if your computer says that you have multiple devices,
[16:36.430 --> 16:44.250]  you can add a parameter that will allow you to select that device.
[16:45.850 --> 16:47.730]  Device index.
[17:00.080 --> 17:07.870]  Upon launching, we'll see a terminal window which will display any currently received air traffic.
[17:08.140 --> 17:12.360]  Since we're indoors, we're not likely to receive very many signals.
[17:14.420 --> 17:24.560]  Additionally, if we do receive signals, we can use what's called a virtual radar server to produce a map of this recorded air traffic.
[17:25.600 --> 17:30.000]  So we've shifted so that we moved our antenna outside to receive more signals.
[17:30.320 --> 17:36.200]  And if you can see on our screen here, we've got three different aircraft that we are currently tracking.
[17:43.940 --> 17:50.880]  Alright, using dump1090, we're able to see different types of information regarding air traffic.
[17:50.880 --> 18:01.420]  For example, we can see the flight number, as well as the altitude, the speed of the aircraft, the heading number, as well as longitude and latitude.
[18:05.300 --> 18:10.880]  Using virtual radar, we can get the same information displayed on a graphical interface.
[18:23.340 --> 18:26.780]  The next signal we'll be looking at is ACARS.
[18:26.780 --> 18:30.680]  ACARS is essentially messages between the ground and aircraft.
[18:31.740 --> 18:39.380]  So what we'll be using to decode ACARS signals is called ACARSDeco2.
[18:39.380 --> 18:45.460]  And once you install the zip, there will be a batch file.
[18:46.260 --> 18:56.320]  And in here, there are a couple of arguments. You can put up to three arguments for different frequencies that the program will look for ACARS signals.
[18:56.700 --> 19:05.360]  Prior to actually running this, you may have to use SDRSharp to find any active ACARS signals in your area.
[19:05.360 --> 19:21.240]  Since we've already done that previously, we're going to run the program, and we should eventually receive ACARS signals.
[19:25.900 --> 19:29.720]  Here are some examples of previous signals we've recorded.
[19:38.150 --> 19:45.230]  Capturing NOAA weather satellite images can be rewarding, but they require more pre-planning in order to get good results.
[19:45.230 --> 19:54.850]  All that's needed is SDRSharp and an APT decoder, which stands for Automatic Picture Transmission, the type of signal that we're seeking.
[19:56.470 --> 20:01.190]  In preparing SDRSharp for capture, we're going to need to change a few of the settings.
[20:03.150 --> 20:11.970]  Clicking the cog wheel up at the top, we're going to select the sample rate that allows us to cleanly hear an FM station without any sort of stuttering.
[20:15.370 --> 20:18.970]  Then, in the radio tab, we're going to select Wide FM.
[20:19.350 --> 20:25.390]  And then, for the bandwidth, we're going to set it to somewhere between 36 and 50 kHz.
[20:25.390 --> 20:29.190]  And this is only to account for Doppler shifting of the signal.
[20:30.450 --> 20:36.170]  In the recording tab, we're going to check audio and uncheck baseband.
[20:36.350 --> 20:39.170]  And the record button is here when we are ready.
[20:39.970 --> 20:48.890]  Additionally, we can also use the audio noise reduction and IF noise reduction tabs if we have a very noisy signal.
[20:49.110 --> 20:53.930]  In terms of physical preparations, we're going to need to do a weather check first.
[20:54.210 --> 20:57.670]  Clouds or rain are going to significantly affect our reception.
[20:58.150 --> 21:04.890]  We're also going to want to elevate ourselves, be outside, and be distant from any sort of tall obstructions.
[21:04.890 --> 21:06.610]  An open field is ideal.
[21:06.610 --> 21:12.450]  In terms of an antenna, the signal is right-hand circular polarized.
[21:13.150 --> 21:15.330]  So helical antennas are wonderful.
[21:15.470 --> 21:22.810]  However, there is quite a bit of success to be had in just a very simple horizontal half-wavelength dipole.
[21:23.370 --> 21:27.850]  A V-dipole oriented north-south works really well, and it's what we use.
[21:32.600 --> 21:39.400]  Before going out and recording APT signals, we need to know when a satellite is actually passing overhead.
[21:40.500 --> 21:47.720]  Signals can only be received from when the satellite rises over the horizon to when it drops just below the horizon.
[21:48.240 --> 21:54.860]  I'm using n2yo.com in order to provide these time estimations of when we acquire the signal.
[21:55.500 --> 21:59.300]  We also want to check and see what the max elevation is.
[21:59.440 --> 22:08.380]  While about 30 degrees is ideal, we've had successful images received at about 15 degrees minimum.
[22:12.920 --> 22:17.600]  For reference, here's a sample of an ideal APT signal.
[22:17.840 --> 22:26.300]  On the right is a screenshot of what the signal would look like in SDRSharp, and I'm now going to play an audio bite of the signal.
[22:35.310 --> 22:42.330]  Once we have our recording complete, SDRSharp will save the recordings in the respective extracted folder.
[22:42.710 --> 22:46.010]  Using the decoder is straightforward from here.
[22:46.010 --> 22:49.350]  So we select our file, decode.
[22:49.670 --> 23:01.490]  We can add some post-decode processing, such as placing land and country borders, and then saving the image from here.
[23:04.250 --> 23:14.650]  We can improve the weather images that we capture by either constructing an improved antenna, such as a QFH or a double-cross dipole antenna.
[23:14.650 --> 23:18.430]  You could also use a low-noise amplifier as well.
[23:19.270 --> 23:25.410]  And since we're recording a WAV file, you can also use audio editing in order to reduce the noise.
[23:26.230 --> 23:28.970]  Thanks for the opportunity to present this information.
[23:29.010 --> 23:34.290]  Is there anything else you'd like to see? As you play with it, you'll learn more and you'll have more questions.
[23:34.290 --> 23:40.030]  Please feel free to reach out to us. We'd love to go ahead and provide more videos and more demonstrations for you.
